VPN Problems

dlink377 · July 18, 2014, 5:28am

Hi,

I have set up a very simple PPTP server on my VPS (CentOS 6.5 32bit 512MB) based on this https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp (I am new to Linux environment).

I tried using Mac, Windows, Android, and Mikrotik and all can connect successfully.

However, I failed to make Mikrotik respond from the VPN server, only the server can ping to Mikrotik. Other clients cannot talk to Mikrotik. However, Mikrotik can access other clients (ping, etc).

Other client such as Mac successfully communicated with other client like Windows no problem at all.

VPN Client IP Range is: 10.201.0.101-254
Mikrotik IP Range is: 10.1.1.0/24, Mikrotik is a client to the VPN with IP 10.201.0.101

I’ve tried manually create route for Mikrotik:
A S 10.201.0.0/24 konata-pptp 10

This is a icmp connection listed in my connection list in Mikrotik. Source of ping is 10.201.0.103

I also cannot connect to any IP range in Mikrotik from VPN client (10.201.0.103 can’t connect to anyone at 10.1.1.0/24)

Thank You

jarda · July 18, 2014, 5:44am

You probably forget to set the routes in mikrotik to be able to reach the networks behind the PPTP server. Check the routes.
Or you did so but the routes could be somehow invalid. Also firewall rules can block the communication.

dlink377 · July 18, 2014, 5:51am

Here are the routes regarding PPTP connection

Here are the firewall rules:

 1   ;;; default configuration
     chain=input action=accept protocol=icmp 

 2   ;;; default configuration
     chain=input action=accept connection-state=established 

 3   ;;; default configuration
     chain=input action=accept connection-state=related 

 4   ;;; WinBox WAN
     chain=input action=accept protocol=tcp dst-port=8291 

 5   ;;; default configuration
     chain=input action=drop in-interface=ether1 

 6   ;;; default configuration
     chain=input action=drop in-interface=konata-pptp

I don’t see anything wrong?

kameelperdza · July 18, 2014, 6:21am

If I read this correctly you say that you cannot ping or communicate with the mikrotik?

I see in your firewall rules that you drop “in-interface=ether1” and “in-interface=konata-pptp”.

Have you tried disable those rules?

dlink377 · July 18, 2014, 6:26am

I tried to disable both of the drop rules, but other client still cannot communicate with Mikrotik. Mikrotik can communication both to server and client, but only server can communicate with Mikrotik, the client unable to.

I think the mikrotik does receive the ping connection, because the allow ICMP rules incoming packet does increase, but somehow cannot reply back to other client (10.201.0.103)

docmarius · July 18, 2014, 6:34am

Forwarding has to be enabled on the server between client interface and MT VPN interface.
Maybe you have some firewall forward rules on your server preventing the reply from MT to reach the clients…

Any forward rules in the MT firewall?

First, isolate the problem:
Run a trace on the server to see if replies come from MT.
Or at least put a rule on the output chain on MT to allow icmp and check if those numbers increase also.

Until you know the exact location of the issue, all discussions are speculative. It is possible that you look in the wrong place.

But this is kind of strange. In your tunnel setup, you use a public ip as one end point, and a private IP on the other?
Does your MT have a direct internet connection, too?

dlink377 · July 18, 2014, 6:42am

I don’t really understand Linux, but from what I know Linux only use iptables for this kind of matter right? Here are the dump of iptables-save:

http://pastebin.com/3k9JWASm (I cannot paste it here because of too many smileys??)

Connection from one client to another client can be made successfully. I can mount SMB shares, ping, access service with no problem at all. However, connection from other client to Mikrotik cannot be made.

But this is kind of strange. In your tunnel setup, you use a public ip as one end point, and a private IP on the other?
Does your MT have a direct internet connection, too?

MT have a internet connection (dynamic ip address given) on ether1 (ADSL router, but DMZ-ed).

Maybe I will make a simple diagram so I can describe it better.

Thank You.

kameelperdza · July 18, 2014, 6:44am

Also add this if you there is no such rule already.

/ip firewall nat add chain=srcnat action=masquerade src-address=10.201.0.0/24

It should allow you to communicate with iprange 10.1.1.0/24

docmarius · July 18, 2014, 6:51am

FW rules seem ok.
But why don’t you use a private address, e.g. 192.168.0.1, as your local address on the tunnel?

dlink377 · July 18, 2014, 7:33am

I already had masq rules before.

I’ve tried your command but still not working, I even tried masq the local traffic.

I thought all with 10.x.x.x 192.168.x.x are private address?

This are my super simple network map:

kameelperdza · July 18, 2014, 8:31am

try doing a traceroute form the mikrotik, server and also client.

That might show you where the packets stop.

dlink377 · July 18, 2014, 9:54am

From Server:
Mikrotik (10.201.0.101): Traceroute failed (* * *), but ping ok, however i got the ip from the public IP (internet IP) of the mikrotik, not 10.201.0.101
Client (10.201.0.102): traceroute ok, one hop, ping ok

From Mikrotik:
Server (10.201.0.1): Traceroute ok, one hop, ping ok
Client (10.201.0.102): Traceroute ok, two hop (10.201.0.1->10.201.0.102), Ping ok

From Client:
Server (10.201.0.1): Trace route ok, one hop, ping ok, from the correct IP
Mikrotik (10.201.0.101): Trace route failed (10.201.0.1 → * * *), Ping RTO

kameelperdza · July 18, 2014, 10:22am

Check your default gateway and dns on server and client.

kameelperdza · July 18, 2014, 10:35am

Im don’t know much about Linux, but maybe you can try to bridge pptp-internface with Ethernet-interface on the server?

jarda · July 18, 2014, 12:30pm

Try to put preferred source ip to your 10.201.0.0/24 route.

dlink377 · July 18, 2014, 6:41pm

Server gateway it says
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0
10.201.0.101 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
DNS i suppose is the local network DNS server (data center DNS server?)

Client (Mikrotik) gateway is
1 for the ether1 (ADSL Modem), and 1 for the pptp connection (somehow i cannot disable this, status is DS)
DNS for Mikrotik is google DNS, however for the client (except mikrotik) all DNS (53) is redirected to OpenDNS Port 5353, because the local ISP intercept the DNS traffic.
chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=5353 protocol=udp dst-port=53

If I bridge ethernet and ppp interface, are the outside network might access my vpn network?

new routing

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          konata-pptp               1
 1 A S  0.0.0.0/0                          10.1.2.1                  1
 2  DS  0.0.0.0/0                          10.201.0.1                1
 3 ADC  10.1.1.0/24        10.1.1.1        bridge-local              0
 4 ADC  10.1.2.0/24        10.1.2.2        ether1                    0
 5  DC  10.1.254.0/24      10.1.254.1      wlan4                   255
 6  DC  10.2.1.0/24        10.2.1.216      ether2                  255
 7 A S  10.201.0.0/24      10.201.0.101    konata-pptp              10
 8 ADC  10.201.0.1/32      10.201.0.101    konata-pptp               0

ether2 is second WAN for future, never used
wlan4 is hotspot network (virtualap)
bridge-local is local network (ether3+ether4+ether5+vif1+wlan1+wlan2+wlan3)

Still no joy.

thenoob · December 22, 2017, 10:18pm

from what i understand you are doing a spider mesh vpn basically everything is connecting true a central node , in this kind of scénario you need to have a routing protocol if not you will need several routes and those routes will need to be passed on to other client . for routing to take place you need 2 routes per network range , one going up one going down. in your case you need 2 routes for the “mac” network , 2 for the mikrotik network one for the pptp server network range and 2 for the win 8 client.

so to do the network you
would need the following routes:
all: make sure pptp range that is assigned is /24 ( and that there is a "connected route towards 10.201.0.0/24)
win8: (just the above)
mac : you need to have the above route ( to communicate with win8 ) but also you need a route towards 10.1.1.0/24 going up towards pptpd
pptpd: needs a “connected” interface in the 10.201.0.0 /24 but also a route towards 10.1.1.0/24 pointing to the mikrotik client interface.(its pptp tunnel interface)
mikrotik , needs the nat rule for “ether1”/wan interface but also for pptpd interface. it also needs the above route. so that it knows the mac client ( and win8 by extension)

if the firewall is not blocking then most likely its a routing issue : from the looks of it the issue would be on the pptpd

a “route” command would show this on the linux . please note that the source of the pptpd should be “virtual”/loopback or a bridge interface.

edit :
try adding a route from 10.1.1.0/24 towards 10.201.0.101 in the pptpd server

dlink377 · December 23, 2017, 3:14am

-delete-

dlink377 · December 23, 2017, 3:23am

I was aiming mesh topology and star topology (using VPN server) as backup. Now this is for the star topology.

Sorry for not updating this thread, but this is what I do to make it work:

Setup PPTPD server on Linux VPS/Server
enter client username password and give static IP on chap-secrets
Setup ip-up and ip-down script for each client, so it always get the correct route on server. -net is local subnet, -gw is the ip address of vpn client

ip-up

ip-down

setup pptp client connection on mikrotik on each client
masquerade the PPTP client connection
setup route for each client… technically you can just redirect all 10.0.0.0/8 but I use mesh as main connection to other site so it will be changed by script frequently.

setup on both site of the client. should be work after that.

for clients, I just setup route on the PC. maybe will move to a better VPN solution than PPTPd